US7334254B1 - Business-to-business security integration - Google Patents

Business-to-business security integration Download PDF

Info

Publication number
US7334254B1
US7334254B1 US10/631,984 US63198403A US7334254B1 US 7334254 B1 US7334254 B1 US 7334254B1 US 63198403 A US63198403 A US 63198403A US 7334254 B1 US7334254 B1 US 7334254B1
Authority
US
United States
Prior art keywords
security
enterprise
data
user
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US10/631,984
Inventor
Kenneth C. Boydstun
Bala Balasubramanian
Mouaz Allababidi
Rohit D. Janu
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
T Mobile Innovations LLC
Original Assignee
Sprint Communications Co LP
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Assigned to SPRINT COMMUNICATIONS COMPANY, L.P. reassignment SPRINT COMMUNICATIONS COMPANY, L.P. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: ALLABABIDI, MOUAZ, BALASUBRAMANIAN, BALA, BOYDSTUN, KENNETH C., JANU, ROHIT
Application filed by Sprint Communications Co LP filed Critical Sprint Communications Co LP
Priority to US10/631,984 priority Critical patent/US7334254B1/en
Application granted granted Critical
Publication of US7334254B1 publication Critical patent/US7334254B1/en
Assigned to DEUTSCHE BANK TRUST COMPANY AMERICAS reassignment DEUTSCHE BANK TRUST COMPANY AMERICAS GRANT OF FIRST PRIORITY AND JUNIOR PRIORITY SECURITY INTEREST IN PATENT RIGHTS Assignors: SPRINT COMMUNICATIONS COMPANY L.P.
Assigned to DEUTSCHE BANK TRUST COMPANY AMERICAS reassignment DEUTSCHE BANK TRUST COMPANY AMERICAS SECURITY AGREEMENT Assignors: ASSURANCE WIRELESS USA, L.P., BOOST WORLDWIDE, LLC, CLEARWIRE COMMUNICATIONS LLC, CLEARWIRE IP HOLDINGS LLC, CLEARWIRE LEGACY LLC, ISBV LLC, Layer3 TV, Inc., PushSpring, Inc., SPRINT COMMUNICATIONS COMPANY L.P., SPRINT INTERNATIONAL INCORPORATED, SPRINT SPECTRUM L.P., T-MOBILE CENTRAL LLC, T-MOBILE USA, INC.
Assigned to SPRINT COMMUNICATIONS COMPANY L.P. reassignment SPRINT COMMUNICATIONS COMPANY L.P. TERMINATION AND RELEASE OF FIRST PRIORITY AND JUNIOR PRIORITY SECURITY INTEREST IN PATENT RIGHTS Assignors: DEUTSCHE BANK TRUST COMPANY AMERICAS
Assigned to T-MOBILE INNOVATIONS LLC reassignment T-MOBILE INNOVATIONS LLC ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: SPRINT COMMUNICATIONS COMPANY L.P.
Assigned to SPRINT SPECTRUM LLC, T-MOBILE USA, INC., CLEARWIRE COMMUNICATIONS LLC, ASSURANCE WIRELESS USA, L.P., IBSV LLC, T-MOBILE CENTRAL LLC, BOOST WORLDWIDE, LLC, CLEARWIRE IP HOLDINGS LLC, SPRINTCOM LLC, SPRINT INTERNATIONAL INCORPORATED, PUSHSPRING, LLC, LAYER3 TV, LLC, SPRINT COMMUNICATIONS COMPANY L.P. reassignment SPRINT SPECTRUM LLC RELEASE BY SECURED PARTY (SEE DOCUMENT FOR DETAILS). Assignors: DEUTSCHE BANK TRUST COMPANY AMERICAS
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105Multiple levels of security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the present invention relates to the authentication and authorization of users of computer systems. More particularly, embodiments of the present invention use an enterprise's internal security systems to authenticate and authorize users outside the enterprise.
  • a first enterprise interacting with a second enterprise may need to request access to the second enterprise's data.
  • the second enterprise would typically require that the first enterprise be authenticated and authorized by a security mechanism within the second enterprise.
  • the second enterprise might have servers, software, and data stores dedicated solely to the authentication and authorization of such outside users. Other servers, software, and data stores within the second enterprise may be dedicated to the authentication and authorization of internal users.
  • An embodiment of the invention is a system for controlling access to computing resources within an enterprise.
  • the system can consist of a web server and a web security agent controlling access to Uniform Resource Locators (URLs), a security gatekeeper and an access server controlling access to Application Programming Interfaces (APIs), and a core security framework used by both the web server and web security agent and the security gatekeeper and access server to store security data and policies and approve or deny requests for access to URLs and APIs.
  • the access server can be a Standard Object Access Protocol (SOAP) server.
  • SOAP Standard Object Access Protocol
  • the core security framework can consist of a policy store, a data store, and a policy server, where the data store can be a relational database or a directory.
  • the core security framework Upon the core security framework approving a request for access to an API, the core security framework can create a session token and attach the session token to the approved request.
  • the session token can provide access to the API for the duration of a session.
  • An alternative embodiment is a system for communication between two independent computing domains.
  • the system can consist of a security gatekeeper within the second domain, a core security framework coupled to the security gatekeeper, and an access server coupled to the security gatekeeper.
  • the security gatekeeper can intercept an invocation from the first domain to an API in the second domain and can send security-related information in the invocation to the core security framework.
  • the core security framework can authenticate the entity making the invocation and authorize the entity to invoke the API.
  • the core security framework can then inform the security gatekeeper that the entity making the invocation has been authenticated and authorized.
  • the security gatekeeper can then inform the access server that the entity making the invocation has been authenticated and authorized and the access server can provide the entity making the invocation with access to the API.
  • the same core security framework can also be used to control access to URLs within the second domain.
  • the communications between the first domain and the second domain can be in a format compliant with SOAP and the security gatekeeper can intercept all data transmissions from the first domain to the second domain that are in the SOAP format.
  • the API invocation from the first domain can be a request to authenticate and authorize a user within the second domain seeking access to data within the first domain.
  • An alternative embodiment is a method of communicating between two independent computing domains.
  • the method can consist of the steps of a user within the first domain sending to the second domain a SOAP-compliant data request that also contains security-related information, a security gatekeeper within the second domain intercepting the data request, the security gatekeeper sending the data request to a core security framework within the second domain, the core security framework using the security-related information in the data request to authenticate the user and authorize the user to retrieve the requested data, the core security framework returning the data request to the security gatekeeper and informing the security gatekeeper that the user has been authenticated and authorized, the security gatekeeper sending the data request to a SOAP server and informing the SOAP server that the user has been authenticated and authorized, and the SOAP server providing the user with access to the requested data.
  • the same core security framework can also be used to control access to URLs within the second domain.
  • the data request can be a request for access to an API within the second domain.
  • Another alternative embodiment is a method for a user within a first enterprise to gain access to data within a second enterprise.
  • the method can consist of the user logging in to a secure computing domain within the first enterprise and requesting data from the second enterprise.
  • the first enterprise can add security information to the data request and send the data request and security information to the second enterprise.
  • a security gatekeeper within the second enterprise can intercept the security information and send it to a core security framework within the second enterprise.
  • the core security framework can approve or deny the user's access to the requested data based on the security information, and, upon approval, the second enterprise can send the requested data to the user.
  • the security information added to the data request can be the user ID and password that the user uses to log in to the secure computing domain within the first enterprise.
  • the security information added to the data request can be a token agreed upon by the two enterprises to designate a legitimate data request from the first enterprise to the second enterprise.
  • the data requests from the user and data returned to the user can be in a format compliant with SOAP.
  • the data request can consist of the selection of a hyperlink on a secure web site within the first enterprise that links to a secure web site hosted by the second enterprise.
  • a user within the second enterprise can seek access to data within the first enterprise.
  • the user can log on to a secure computing domain within the second enterprise and request data from the first enterprise.
  • the second enterprise can add security information to the data request and send the data request and security information to the first enterprise.
  • the first enterprise can then send the security information to the second enterprise.
  • a security gatekeeper within the second enterprise can intercept the security information and send it to a core security framework within the second enterprise.
  • the second enterprise's core security framework can then approve or deny the user's access to the requested data based on the security information.
  • the second enterprise can inform the first enterprise that the user is allowed access to the requested data and the first enterprise can send the requested data to the user.
  • the core security framework within the second enterprise can also be used to control access to URLs within the second enterprise.
  • FIG. 1 is a block diagram of a security proxy framework.
  • FIG. 2 is a block diagram of an authorization and authentication system incorporating a security gatekeeper.
  • FIG. 3 is a diagram of a typical, general-purpose computer system suitable for implementing the present invention.
  • Enterprises can create separate security frameworks for internal and external users.
  • Internal users wishing to access secure Uniform Resource Locators (URLs) within an enterprise might be authenticated and authorized by one set of policy servers and security data stores while external users wishing to access Application Programming Interfaces (APIs) within the enterprise might be authenticated and authorized by a different set of policy servers and security data stores.
  • Embodiments of the present invention provide a more efficient security mechanism in which a single security framework is used for the authentication and authorization of both internal and external users.
  • a suitable security framework for dealing with internal users is first described herein and then a description of how the framework can deal with external users is provided.
  • a security proxy can act as a bridge between applications and resources by providing a mapping between objects from different platforms and/or architectures.
  • a security proxy server is sometimes used to filter requests.
  • FIG. 1 depicts a typical security proxy framework.
  • the security proxy framework provides a method for bridging requests for access to resources between requestors in a distributed network and an authenticator servicing the distributed network. Requests for access can include requests to view, delete, add, or modify a resource.
  • the security proxy framework 300 has a three-tier design consisting of a front-end application layer, a middle-tier bridge component, and a back-end implementation layer.
  • the application layer comprises the application servers 140 , the generic security API calls 150 , and in theory includes the front-end piece of the bridging mechanism, the public Java interface 162 .
  • the middle-tier bridge (also referred to as the security proxy bridge 160 ) supplies the bridging mechanism within security proxy framework 300 .
  • Within the security proxy bridge 160 are a public interface to the application servers, such as public Java interface 162 , and a private interface, such as private CORBA interface 164 , that communicates with the back-end security framework functions.
  • the implementation layer refers to the back-end components where security decisions, such as policy decisions, are made.
  • the public side of the security proxy bridge 160 includes not only the front-end side of the bridge, the public Java interface 162 , that is accessed by the application servers 140 , but also the generic security API calls 150 .
  • the public side can be thought of as the side of the security proxy framework 300 involved with serving the public. That is, the public, or users, access the calling application servers 140 with their requests.
  • the private side of security proxy bridge 160 is the back-end side that functions to process the security requests. All API invocations 150 are intercepted by the public Java interface 162 within the security proxy bridge 160 , which in turn calls the appropriate back-end security functions. Accordingly, the applications are isolated from the back-end implementation details. Also, addition or removal of back-end functionality will have minimum code impact on the application layer. Therefore, the security framework design has flexibility to allow future security requirements to be integrated easily with minimal impact on the application code.
  • Private CORBA interface 164 of the security proxy bridge 160 contains a bridging mechanism that is coded using Common Object Request Broker Architecture (CORBA).
  • CORBA allows applications to communicate with one another no matter where they are located or who has designed them.
  • CORBA is utilized because of its performance, stability, capacity, and cross-platform capabilities.
  • CORBA also provides management, administration, and logging facilities.
  • CORBA performs well in a completely heterogeneous framework. Using CORBA one can go straight from a mainframe to a web server. One can, in fact, use CORBA to do router table updates if desired.
  • the security proxy bridge 160 provides an insulation layer in the overall security framework.
  • the application servers 140 such as personalized content servers, that sit behind the web servers 100 and 130 .
  • a security framework data store 10 On the other side is a security framework data store 10 .
  • the data store can be a relational database, a directory compliant with the Lightweight Directory Access Protocol (LDAP), or another suitable type of data store.
  • LDAP Lightweight Directory Access Protocol
  • a user logs on to web server 100 in order to access a web page.
  • Web agent 102 verifies the identity of the user and allows the user access to protected web server 130 .
  • Protected web server 130 then passes the request for access to the URL of the web page to an application server 140 .
  • the application server 140 makes an API call 150 to the front end of the security proxy bridge 160 .
  • the security proxy bridge 160 sends the request to the authentication policy server 120 and an authenticator within the authentication policy server 120 handles the request from that point onward.
  • An example of a suitable authenticator is SiteMinder, produced by Netegrity, Inc.
  • the authentication policy server 120 requests identification and authentication information regarding the requestor from security framework data store 10 and authenticates the identity of the requestor.
  • the authentication policy server 120 compares the authorization policy for the requestor with the requested resource and the requested access to the requested resource, and if the comparison is successful, the authentication policy server 120 authorizes the request.
  • the requests to the security proxy bridge 160 do not have to be changed. They will still make the same generic security API calls 150 . This adds flexibility to the security proxy framework 300 .
  • large enterprises tend to build data stores combining user data. They contain multiple types of user information, both security-related information (such as user ID, passwords, and security-related secret questions) and general account-related information (such as user account number, user address, user phone number, and user billing status).
  • security-related information such as user ID, passwords, and security-related secret questions
  • general account-related information such as user account number, user address, user phone number, and user billing status.
  • a large, heterogeneous user data store such as this not only handles the security-related user data, but it also handles any policy decision information and authentication functions. Advantages of having all data stored together depend on which authentication service is in place. Some authentication services operate more efficiently when all user data, including security-related information and general account-related information, is combined into one large, heterogeneous data store. Some authentication services might only be able to operate, for proprietary reasons, when all user data is combined into one large, heterogeneous data store.
  • a segregated security-related user data store provides the ability to have a focused, optimized security data store that limits control and hardens it from a security standpoint.
  • the above-described security proxy framework is suitable for the authentication and authorization of users internal to an enterprise.
  • the same security proxy framework can be used for the authentication and authorization of external users. More specifically, the same security framework that controls the access of internal users to internal URLs is used to control the access of external users to internal APIs.
  • the reuse of the existing security proxy framework is a more efficient use of security resources than creation and maintenance of separate security frameworks for internal and external users.
  • two enterprises might enter an agreement in which the first enterprise is allowed access to the APIs within the second enterprise.
  • the second enterprise can provide the first enterprise with direct access to data stores, mainframe computing systems, and other components of a data tier within the second enterprise.
  • the first enterprise or computing domain sends a request to the second enterprise or computing domain for secure data within the second enterprise
  • the second enterprise typically reviews the security information (such as a user ID and a password) provided by the first enterprise and determines if the first enterprise is authorized to receive the requested data.
  • the second enterprise might request the security information and authenticate and authorize the first enterprise each time the first enterprise requests secure data.
  • the second enterprise might request the security information and authenticate and authorize the first enterprise only one time and then create a session token that allows the first enterprise access to selected data for the duration of a session.
  • An embodiment of a system and method for allowing session-based access such as this is shown in FIG. 2 .
  • elements of the security proxy framework described above and illustrated in FIG. 1 are used.
  • the session-based access process begins when a member of a first enterprise, shown in FIG. 2 as outside user 210 , requests data from a second enterprise.
  • the data request would typically be a call to an API within the second enterprise and would typically be in a format such as XML or SOAP (Simple Object Access Protocol).
  • SOAP Simple Object Access Protocol
  • the most recent version of the SOAP protocol can be found in the W3C Working Draft of the SOAP version 1.2 specification, which is incorporated herein by reference.
  • the data request would also typically include security information regarding the outside user 210 .
  • a security gatekeeper 220 within the second enterprise intercepts the data request and passes the data request and security information to a core security framework 250 .
  • the core security framework 250 typically comprises an authentication policy server 120 , a security data store 10 , and a main policy store 125 .
  • Policies regarding the criteria needed to create a session, session durations, the types of data that can be retrieved during a session, and other session-related parameters can be stored in the data store 10 or the main policy store 125 .
  • the authentication policy server 120 Upon receiving security information from the security gatekeeper 220 , the authentication policy server 120 calls its security data store 10 to check authentication and policy information on outside user 210 .
  • the data store 10 returns data regarding the authenticity and authority of the outside user 210 to the authentication policy server 120 .
  • the authentication policy server 120 decides if the outside user 210 is authentic and is authorized to receive the requested data.
  • the authentication policy server 120 creates a session token, attaches it to the data request, and returns its decision to the security gatekeeper 220 .
  • the security gatekeeper 220 then informs an access server that the outside user 210 is allowed to have the requested information.
  • the access server is a SOAP server 230 but other types of application servers that perform similar functions could be used.
  • the SOAP server 230 requests the data from a data tier 240 .
  • the data tier typically includes data storage and computing components such as relational databases, data directories, and mainframe computing systems.
  • the data tier 240 returns the requested data to the SOAP server 230 and the SOAP server 230 returns the data to the outside user 210 .
  • the SOAP server 230 is allowed to transfer data directly from the data tier 240 to the outside user 210 without the need for further authentication and authorization or further intervention from the security gatekeeper 220 or the authentication policy server 120 .
  • the core security framework 250 controls the access outside users 210 are allowed to have to the APIs within the second enterprise. As discussed above, the core security framework 250 also controls the access web servers 100 are allowed to have to URLs within the second enterprise. Thus, the same core security framework provides both API protection and URL protection.
  • the use of the existing authentication and authorization mechanisms within the security proxy framework reduces the effort and infrastructure needed to deal with outside users. Instead of creating new policies and new data stores to handle outside users and placing the policies and data stores on dedicated servers, an enterprise can simply add outside users to existing policies, data stores, and servers.
  • a security gatekeeper and a core security framework can be used to allow an enterprise to bypass the login screen typically displayed when an attempt is made to reach a secure web site within another enterprise.
  • a first, or external, enterprise as described above attempts to reach a secure web site within a second enterprise containing a security gatekeeper and a core security framework as described above.
  • a user logged on to a secure web site hosted by the first enterprise might select a hyperlink that links to a secure web site hosted by the second enterprise.
  • the second enterprise would present the user with a login page that requests security information to verify that the user is allowed access to the second enterprise's secure web site.
  • the two enterprises might wish to enter an arrangement in which this login page is bypassed and the user is taken directly to the requested web site.
  • This can be accomplished by the two enterprises having pre-arranged policies that allow security information to be transmitted from the first enterprise to the second enterprise when certain hyperlinks from the first enterprise to the second enterprise are selected.
  • the first enterprise can add security information to the request for access to the secure web site and then send both the access request and the security information to the second enterprise.
  • the security gatekeeper within the second enterprise can intercept the security information and send the security information to the core security framework.
  • the core security framework can then approve or deny the user's access to the secure web site based on the security information. If access is allowed, the user can be taken directly to the web site, bypassing the second enterprise's normal login page.
  • a user within the second enterprise attempts to reach a secure web site within the first, or external, enterprise.
  • a user logged on to a secure web site hosted by the second enterprise might select a hyperlink that links to a secure web site hosted by the first enterprise.
  • the second enterprise can add security information to the request for access to the secure web site and then send both the access request and the security information to the first enterprise.
  • the first enterprise can then send the security information to the second enterprise.
  • the security gatekeeper within the second enterprise can intercept the security information and send the security information to the core security framework.
  • the core security framework can then approve or deny the user's access to the secure web site based on the security information.
  • the second enterprise can inform the first enterprise that the user is allowed access to the secure web site. The user can then be taken directly to the web site, bypassing the first enterprise's normal login page.
  • the security information sent from one enterprise to the other enterprise can be a user ID and password or other information pertaining to the specific user making the request.
  • the security information a user submits when logging on to a web site within one enterprise can be used to automatically log the user on to a web site within the other enterprise and bypass the other enterprise's login page.
  • the security information can be a token that the two enterprises have mutually agreed one enterprise will send when it requests access to certain web sites within the other enterprise. If the first enterprise is seeking access to a secure web site within the second enterprise, the first enterprise sends the access request and token to the second enterprise. The security gatekeeper within the second enterprise intercepts the token and sends it to the core security framework.
  • the core security framework verifies that the token is legitimate and displays the requested web site to the user without the display of a login page. If the second enterprise is seeking access to a secure web site within the first enterprise, the second enterprise sends the access request and token to the first enterprise, which then sends the token to the second enterprise. The security gatekeeper within the second enterprise intercepts the token and sends it to the core security framework. The core security framework verifies that the token is legitimate and the second enterprise informs the first enterprise that the user is allowed access to the first enterprise's web site. The first enterprise then displays the requested web site to the user without the display of a login page.
  • the use of a token can allow multiple users in one enterprise to have direct access to web sites within the other enterprise without the need to verify the security credentials of each of the users individually.
  • FIG. 3 illustrates a typical, general-purpose computer system suitable for implementing the present invention.
  • the computer system 1330 includes a processor 1332 (also referred to as a central processing unit or CPU) that is coupled to memory devices including primary storage devices 1336 (typically a read only memory, or ROM) and primary storage devices 1334 (typically a random access memory or RAM).
  • primary storage devices 1336 typically a read only memory, or ROM
  • primary storage devices 1334 typically a random access memory or RAM
  • ROM acts to transfer data and instructions uni-directionally to CPU 1332
  • RAM is used typically to transfer data and instructions in a bi-directional manner.
  • Both storage devices 1334 and 1336 may include any suitable computer-readable media.
  • a secondary storage medium 1338 which is typically a mass memory device, is also coupled bi-directionally to CPU 1332 and provides additional data storage capacity.
  • the mass memory device 1338 is a computer-readable medium that may be used to store programs including computer code, data, and the like.
  • mass memory device 1338 is a storage medium such as a non-volatile memory such as a hard disk or a tape which is generally slower than primary storage devices 1334 and 1336 .
  • Mass memory storage device 1338 may take the form of a magnetic or paper tape reader or some other well-known device. It will be appreciated that the information retained within the mass memory device 1338 may, in appropriate cases, be incorporated in standard fashion as part of RAM 1336 as virtual memory. A specific primary storage device 1334 such as a CD-ROM may also pass data uni-directionally to the CPU 1332 .
  • CPU 1332 is also coupled to one or more input/output devices 1340 that may include, but are not limited to, devices such as video monitors, track balls, mice, keyboards, microphones, touch-sensitive displays, transducer card readers, magnetic or paper tape readers, tablets, styluses, voice or handwriting recognizers, or other well-known input devices such as, of course, other computers.
  • CPU 1332 optionally may be coupled to a computer or telecommunications network, e.g., an internet network, or an intranet network, using a network connection as shown generally at 1312 . With such a network connection, it is contemplated that CPU 1332 might receive information from the network, or might output information to the network in the course of performing the above-described method steps.
  • Such information which is often represented as a sequence of instructions to be executed using CPU 1332 , may be received from and outputted to the network, for example, in the form of a computer data signal embodied in a carrier wave.
  • the above-described devices and materials will be familiar to those of skill in the computer hardware and software arts.
  • sequences of instructions may be executed substantially simultaneously on multiple CPUs, as for example a CPU in communication across network connections.
  • the above-described method steps may be performed across a computer network.
  • the above method steps may be recognized as sets of computer codes and that such computer codes are typically stored in computer readable media such as RAM, ROM, hard discs, floppy discs, carrier waves, and the like.

Abstract

A system for controlling access to computing resources within an enterprise. The system can consist of a web server and a web security agent controlling access to URLs, a security gatekeeper and an access server controlling access to APIs, and a core security framework used by both the web server and web security agent and the security gatekeeper and access server to store security data and policies and make security decisions. The access server can be a SOAP server. The core security framework can consist of a policy store, a data store, and a policy server, where the data store can be a relational database or a directory. A session token can be attached to an approved request for access to an API and can provide access to the API for the duration of a session.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS
None.
STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT
Not applicable.
REFERENCE TO A MICROFICHE APPENDIX
Not applicable.
FIELD OF THE INVENTION
The present invention relates to the authentication and authorization of users of computer systems. More particularly, embodiments of the present invention use an enterprise's internal security systems to authenticate and authorize users outside the enterprise.
BACKGROUND OF THE INVENTION
A first enterprise interacting with a second enterprise may need to request access to the second enterprise's data. In such a situation, the second enterprise would typically require that the first enterprise be authenticated and authorized by a security mechanism within the second enterprise. The second enterprise might have servers, software, and data stores dedicated solely to the authentication and authorization of such outside users. Other servers, software, and data stores within the second enterprise may be dedicated to the authentication and authorization of internal users.
SUMMARY OF THE INVENTION
An embodiment of the invention is a system for controlling access to computing resources within an enterprise. The system can consist of a web server and a web security agent controlling access to Uniform Resource Locators (URLs), a security gatekeeper and an access server controlling access to Application Programming Interfaces (APIs), and a core security framework used by both the web server and web security agent and the security gatekeeper and access server to store security data and policies and approve or deny requests for access to URLs and APIs. The access server can be a Standard Object Access Protocol (SOAP) server. The core security framework can consist of a policy store, a data store, and a policy server, where the data store can be a relational database or a directory. Upon the core security framework approving a request for access to an API, the core security framework can create a session token and attach the session token to the approved request. The session token can provide access to the API for the duration of a session.
An alternative embodiment is a system for communication between two independent computing domains. The system can consist of a security gatekeeper within the second domain, a core security framework coupled to the security gatekeeper, and an access server coupled to the security gatekeeper. The security gatekeeper can intercept an invocation from the first domain to an API in the second domain and can send security-related information in the invocation to the core security framework. The core security framework can authenticate the entity making the invocation and authorize the entity to invoke the API. The core security framework can then inform the security gatekeeper that the entity making the invocation has been authenticated and authorized. The security gatekeeper can then inform the access server that the entity making the invocation has been authenticated and authorized and the access server can provide the entity making the invocation with access to the API. The same core security framework can also be used to control access to URLs within the second domain. The communications between the first domain and the second domain can be in a format compliant with SOAP and the security gatekeeper can intercept all data transmissions from the first domain to the second domain that are in the SOAP format. The API invocation from the first domain can be a request to authenticate and authorize a user within the second domain seeking access to data within the first domain.
An alternative embodiment is a method of communicating between two independent computing domains. The method can consist of the steps of a user within the first domain sending to the second domain a SOAP-compliant data request that also contains security-related information, a security gatekeeper within the second domain intercepting the data request, the security gatekeeper sending the data request to a core security framework within the second domain, the core security framework using the security-related information in the data request to authenticate the user and authorize the user to retrieve the requested data, the core security framework returning the data request to the security gatekeeper and informing the security gatekeeper that the user has been authenticated and authorized, the security gatekeeper sending the data request to a SOAP server and informing the SOAP server that the user has been authenticated and authorized, and the SOAP server providing the user with access to the requested data. The same core security framework can also be used to control access to URLs within the second domain. The data request can be a request for access to an API within the second domain.
Another alternative embodiment is a method for a user within a first enterprise to gain access to data within a second enterprise. The method can consist of the user logging in to a secure computing domain within the first enterprise and requesting data from the second enterprise. The first enterprise can add security information to the data request and send the data request and security information to the second enterprise. A security gatekeeper within the second enterprise can intercept the security information and send it to a core security framework within the second enterprise. The core security framework can approve or deny the user's access to the requested data based on the security information, and, upon approval, the second enterprise can send the requested data to the user. The security information added to the data request can be the user ID and password that the user uses to log in to the secure computing domain within the first enterprise. Alternatively, the security information added to the data request can be a token agreed upon by the two enterprises to designate a legitimate data request from the first enterprise to the second enterprise. The data requests from the user and data returned to the user can be in a format compliant with SOAP. The data request can consist of the selection of a hyperlink on a secure web site within the first enterprise that links to a secure web site hosted by the second enterprise.
In another alternative embodiment, a user within the second enterprise can seek access to data within the first enterprise. The user can log on to a secure computing domain within the second enterprise and request data from the first enterprise. The second enterprise can add security information to the data request and send the data request and security information to the first enterprise. The first enterprise can then send the security information to the second enterprise. A security gatekeeper within the second enterprise can intercept the security information and send it to a core security framework within the second enterprise. The second enterprise's core security framework can then approve or deny the user's access to the requested data based on the security information. Upon approval, the second enterprise can inform the first enterprise that the user is allowed access to the requested data and the first enterprise can send the requested data to the user. The core security framework within the second enterprise can also be used to control access to URLs within the second enterprise.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram of a security proxy framework.
FIG. 2 is a block diagram of an authorization and authentication system incorporating a security gatekeeper.
FIG. 3 is a diagram of a typical, general-purpose computer system suitable for implementing the present invention.
 DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
Users of computer systems within an enterprise (employees) and external users (customers) sometimes need access to the enterprise's data. Many enterprises have responded by placing applications and information on networks. This can provide easy, efficient access to users both inside and outside the enterprise but can expose the network and data resources to attack. Therefore, it is desirable to find secure data traffic management solutions that protect resources from unauthorized access. The degree of security placed on these resources may vary depending on the sensitivity of content and the intended user community. The challenge is to implement a secure integrated access control environment while simultaneously supporting multiple authentication and authorization mechanisms and appropriate session controls. Security management can be centralized to ease management of large numbers of user privileges and entitlements across various applications and platforms. This can be implemented by establishing a security framework within the enterprise's network. Components of such a framework can include data stores for security information, policy servers for making authentication and authorization decisions, and application servers to act as interfaces between the security framework and internal and external users.
Enterprises can create separate security frameworks for internal and external users. Internal users wishing to access secure Uniform Resource Locators (URLs) within an enterprise might be authenticated and authorized by one set of policy servers and security data stores while external users wishing to access Application Programming Interfaces (APIs) within the enterprise might be authenticated and authorized by a different set of policy servers and security data stores. Embodiments of the present invention provide a more efficient security mechanism in which a single security framework is used for the authentication and authorization of both internal and external users. A suitable security framework for dealing with internal users is first described herein and then a description of how the framework can deal with external users is provided.
In an embodiment of an internal security framework, a security proxy can act as a bridge between applications and resources by providing a mapping between objects from different platforms and/or architectures. A security proxy server is sometimes used to filter requests. For example, a company could use a proxy server to prevent its employees from accessing a specific set of protected web sites. FIG. 1 depicts a typical security proxy framework. The security proxy framework provides a method for bridging requests for access to resources between requestors in a distributed network and an authenticator servicing the distributed network. Requests for access can include requests to view, delete, add, or modify a resource. The security proxy framework 300 has a three-tier design consisting of a front-end application layer, a middle-tier bridge component, and a back-end implementation layer. The application layer comprises the application servers 140, the generic security API calls 150, and in theory includes the front-end piece of the bridging mechanism, the public Java interface 162. The middle-tier bridge (also referred to as the security proxy bridge 160) supplies the bridging mechanism within security proxy framework 300. Within the security proxy bridge 160 are a public interface to the application servers, such as public Java interface 162, and a private interface, such as private CORBA interface 164, that communicates with the back-end security framework functions. The implementation layer refers to the back-end components where security decisions, such as policy decisions, are made.
The public side of the security proxy bridge 160 includes not only the front-end side of the bridge, the public Java interface 162, that is accessed by the application servers 140, but also the generic security API calls 150. The public side can be thought of as the side of the security proxy framework 300 involved with serving the public. That is, the public, or users, access the calling application servers 140 with their requests. The private side of security proxy bridge 160 is the back-end side that functions to process the security requests. All API invocations 150 are intercepted by the public Java interface 162 within the security proxy bridge 160, which in turn calls the appropriate back-end security functions. Accordingly, the applications are isolated from the back-end implementation details. Also, addition or removal of back-end functionality will have minimum code impact on the application layer. Therefore, the security framework design has flexibility to allow future security requirements to be integrated easily with minimal impact on the application code.
Private CORBA interface 164 of the security proxy bridge 160 contains a bridging mechanism that is coded using Common Object Request Broker Architecture (CORBA). CORBA allows applications to communicate with one another no matter where they are located or who has designed them. CORBA is utilized because of its performance, stability, capacity, and cross-platform capabilities. CORBA also provides management, administration, and logging facilities. CORBA performs well in a completely heterogeneous framework. Using CORBA one can go straight from a mainframe to a web server. One can, in fact, use CORBA to do router table updates if desired.
The security proxy bridge 160 provides an insulation layer in the overall security framework. On one side of the security proxy are the application servers 140, such as personalized content servers, that sit behind the web servers 100 and 130. On the other side is a security framework data store 10. The data store can be a relational database, a directory compliant with the Lightweight Directory Access Protocol (LDAP), or another suitable type of data store.
In a typical sequence of events, a user logs on to web server 100 in order to access a web page. Web agent 102 verifies the identity of the user and allows the user access to protected web server 130. Protected web server 130 then passes the request for access to the URL of the web page to an application server 140. The application server 140 makes an API call 150 to the front end of the security proxy bridge 160. The security proxy bridge 160 sends the request to the authentication policy server 120 and an authenticator within the authentication policy server 120 handles the request from that point onward. An example of a suitable authenticator is SiteMinder, produced by Netegrity, Inc. The authentication policy server 120 requests identification and authentication information regarding the requestor from security framework data store 10 and authenticates the identity of the requestor. The authentication policy server 120 then compares the authorization policy for the requestor with the requested resource and the requested access to the requested resource, and if the comparison is successful, the authentication policy server 120 authorizes the request.
If the authentication policy server 120 is replaced at some point in the future, the requests to the security proxy bridge 160 do not have to be changed. They will still make the same generic security API calls 150. This adds flexibility to the security proxy framework 300.
Typically, large enterprises tend to build data stores combining user data. They contain multiple types of user information, both security-related information (such as user ID, passwords, and security-related secret questions) and general account-related information (such as user account number, user address, user phone number, and user billing status). A large, heterogeneous user data store such as this not only handles the security-related user data, but it also handles any policy decision information and authentication functions. Advantages of having all data stored together depend on which authentication service is in place. Some authentication services operate more efficiently when all user data, including security-related information and general account-related information, is combined into one large, heterogeneous data store. Some authentication services might only be able to operate, for proprietary reasons, when all user data is combined into one large, heterogeneous data store.
However, for some, having one large, heterogeneous user data store can create a security problem in that restricted information is mixed in with general account-related information. Then various applications requiring only general account-related information could access the user data store that also contains the restricted information, thereby creating a potential security risk. Fortunately, some authentication services allow for more flexibility as to how the data is stored than those already mentioned.
It can be a desirable feature in a security framework data storage scheme to have a completely separate security-related user data store that deals only with security-related information. Having a security-related user data store can more easily restrict users through the use of routers, security proxies, APIs, etc. Furthermore, separating security-related user information from general account-related information enables modifications to be made to either data store without affecting the other data store. From a security aspect, one can give an application the ability to allow authorized users to make changes to the security-related user data store without having to give the same authorization to all of the applications that might need access to a general store. Hence, fewer applications and/or machines will need to be provided access and more can be screened away by hardening methods. A segregated security-related user data store provides the ability to have a focused, optimized security data store that limits control and hardens it from a security standpoint.
The above-described security proxy framework is suitable for the authentication and authorization of users internal to an enterprise. In an embodiment of the invention, the same security proxy framework can be used for the authentication and authorization of external users. More specifically, the same security framework that controls the access of internal users to internal URLs is used to control the access of external users to internal APIs. The reuse of the existing security proxy framework is a more efficient use of security resources than creation and maintenance of separate security frameworks for internal and external users.
In an example of an external user requesting access to data within another enterprise, two enterprises might enter an agreement in which the first enterprise is allowed access to the APIs within the second enterprise. By exposing its internal APIs, the second enterprise can provide the first enterprise with direct access to data stores, mainframe computing systems, and other components of a data tier within the second enterprise. When the first enterprise or computing domain sends a request to the second enterprise or computing domain for secure data within the second enterprise, the second enterprise typically reviews the security information (such as a user ID and a password) provided by the first enterprise and determines if the first enterprise is authorized to receive the requested data. The second enterprise might request the security information and authenticate and authorize the first enterprise each time the first enterprise requests secure data. Alternatively, the second enterprise might request the security information and authenticate and authorize the first enterprise only one time and then create a session token that allows the first enterprise access to selected data for the duration of a session. An embodiment of a system and method for allowing session-based access such as this is shown in FIG. 2. In this embodiment, elements of the security proxy framework described above and illustrated in FIG. 1 are used.
The session-based access process begins when a member of a first enterprise, shown in FIG. 2 as outside user 210, requests data from a second enterprise. The data request would typically be a call to an API within the second enterprise and would typically be in a format such as XML or SOAP (Simple Object Access Protocol). The most recent version of the SOAP protocol can be found in the W3C Working Draft of the SOAP version 1.2 specification, which is incorporated herein by reference. In addition to specifying the data that is needed, the data request would also typically include security information regarding the outside user 210. A security gatekeeper 220 within the second enterprise intercepts the data request and passes the data request and security information to a core security framework 250. The core security framework 250 typically comprises an authentication policy server 120, a security data store 10, and a main policy store 125. Policies regarding the criteria needed to create a session, session durations, the types of data that can be retrieved during a session, and other session-related parameters can be stored in the data store 10 or the main policy store 125. Upon receiving security information from the security gatekeeper 220, the authentication policy server 120 calls its security data store 10 to check authentication and policy information on outside user 210. The data store 10 returns data regarding the authenticity and authority of the outside user 210 to the authentication policy server 120. The authentication policy server 120 then decides if the outside user 210 is authentic and is authorized to receive the requested data. If the outside user 210 is authorized, the authentication policy server 120 creates a session token, attaches it to the data request, and returns its decision to the security gatekeeper 220. The security gatekeeper 220 then informs an access server that the outside user 210 is allowed to have the requested information. In the embodiment of FIG. 2, the access server is a SOAP server 230 but other types of application servers that perform similar functions could be used. Upon being informed by the security gatekeeper 220 that the outside user 210 is authorized to receive the requested data, the SOAP server 230 requests the data from a data tier 240. The data tier typically includes data storage and computing components such as relational databases, data directories, and mainframe computing systems. The data tier 240 returns the requested data to the SOAP server 230 and the SOAP server 230 returns the data to the outside user 210. As long as the session token allows the session to remain active, the SOAP server 230 is allowed to transfer data directly from the data tier 240 to the outside user 210 without the need for further authentication and authorization or further intervention from the security gatekeeper 220 or the authentication policy server 120.
Under this arrangement, the core security framework 250 controls the access outside users 210 are allowed to have to the APIs within the second enterprise. As discussed above, the core security framework 250 also controls the access web servers 100 are allowed to have to URLs within the second enterprise. Thus, the same core security framework provides both API protection and URL protection. The use of the existing authentication and authorization mechanisms within the security proxy framework reduces the effort and infrastructure needed to deal with outside users. Instead of creating new policies and new data stores to handle outside users and placing the policies and data stores on dedicated servers, an enterprise can simply add outside users to existing policies, data stores, and servers.
In an alternative embodiment, a security gatekeeper and a core security framework can be used to allow an enterprise to bypass the login screen typically displayed when an attempt is made to reach a secure web site within another enterprise. Two alternatives exist under this embodiment. In one, a first, or external, enterprise as described above attempts to reach a secure web site within a second enterprise containing a security gatekeeper and a core security framework as described above. In this case, a user logged on to a secure web site hosted by the first enterprise might select a hyperlink that links to a secure web site hosted by the second enterprise. Traditionally, the second enterprise would present the user with a login page that requests security information to verify that the user is allowed access to the second enterprise's secure web site. However, the two enterprises might wish to enter an arrangement in which this login page is bypassed and the user is taken directly to the requested web site. This can be accomplished by the two enterprises having pre-arranged policies that allow security information to be transmitted from the first enterprise to the second enterprise when certain hyperlinks from the first enterprise to the second enterprise are selected. When a user within the first enterprise selects one of these hyperlinks, the first enterprise can add security information to the request for access to the secure web site and then send both the access request and the security information to the second enterprise. The security gatekeeper within the second enterprise can intercept the security information and send the security information to the core security framework. The core security framework can then approve or deny the user's access to the secure web site based on the security information. If access is allowed, the user can be taken directly to the web site, bypassing the second enterprise's normal login page.
In the other alternative, a user within the second enterprise, which contains the security gatekeeper and the core security framework, attempts to reach a secure web site within the first, or external, enterprise. In this case, a user logged on to a secure web site hosted by the second enterprise might select a hyperlink that links to a secure web site hosted by the first enterprise. The second enterprise can add security information to the request for access to the secure web site and then send both the access request and the security information to the first enterprise. The first enterprise can then send the security information to the second enterprise. The security gatekeeper within the second enterprise can intercept the security information and send the security information to the core security framework. The core security framework can then approve or deny the user's access to the secure web site based on the security information. Upon approval, the second enterprise can inform the first enterprise that the user is allowed access to the secure web site. The user can then be taken directly to the web site, bypassing the first enterprise's normal login page.
In either of the alternatives, the security information sent from one enterprise to the other enterprise can be a user ID and password or other information pertaining to the specific user making the request. In this way, the security information a user submits when logging on to a web site within one enterprise can be used to automatically log the user on to a web site within the other enterprise and bypass the other enterprise's login page. Alternatively, the security information can be a token that the two enterprises have mutually agreed one enterprise will send when it requests access to certain web sites within the other enterprise. If the first enterprise is seeking access to a secure web site within the second enterprise, the first enterprise sends the access request and token to the second enterprise. The security gatekeeper within the second enterprise intercepts the token and sends it to the core security framework. The core security framework verifies that the token is legitimate and displays the requested web site to the user without the display of a login page. If the second enterprise is seeking access to a secure web site within the first enterprise, the second enterprise sends the access request and token to the first enterprise, which then sends the token to the second enterprise. The security gatekeeper within the second enterprise intercepts the token and sends it to the core security framework. The core security framework verifies that the token is legitimate and the second enterprise informs the first enterprise that the user is allowed access to the first enterprise's web site. The first enterprise then displays the requested web site to the user without the display of a login page. The use of a token can allow multiple users in one enterprise to have direct access to web sites within the other enterprise without the need to verify the security credentials of each of the users individually.
An authentication and authorization system as described above may generally be implemented on a variety of different computer systems. FIG. 3 illustrates a typical, general-purpose computer system suitable for implementing the present invention. The computer system 1330 includes a processor 1332 (also referred to as a central processing unit or CPU) that is coupled to memory devices including primary storage devices 1336 (typically a read only memory, or ROM) and primary storage devices 1334 (typically a random access memory or RAM).
As is well known in the art, ROM acts to transfer data and instructions uni-directionally to CPU 1332, while RAM is used typically to transfer data and instructions in a bi-directional manner. Both storage devices 1334 and 1336 may include any suitable computer-readable media. A secondary storage medium 1338, which is typically a mass memory device, is also coupled bi-directionally to CPU 1332 and provides additional data storage capacity. The mass memory device 1338 is a computer-readable medium that may be used to store programs including computer code, data, and the like. Typically, mass memory device 1338 is a storage medium such as a non-volatile memory such as a hard disk or a tape which is generally slower than primary storage devices 1334 and 1336. Mass memory storage device 1338 may take the form of a magnetic or paper tape reader or some other well-known device. It will be appreciated that the information retained within the mass memory device 1338 may, in appropriate cases, be incorporated in standard fashion as part of RAM 1336 as virtual memory. A specific primary storage device 1334 such as a CD-ROM may also pass data uni-directionally to the CPU 1332.
CPU 1332 is also coupled to one or more input/output devices 1340 that may include, but are not limited to, devices such as video monitors, track balls, mice, keyboards, microphones, touch-sensitive displays, transducer card readers, magnetic or paper tape readers, tablets, styluses, voice or handwriting recognizers, or other well-known input devices such as, of course, other computers. Finally, CPU 1332 optionally may be coupled to a computer or telecommunications network, e.g., an internet network, or an intranet network, using a network connection as shown generally at 1312. With such a network connection, it is contemplated that CPU 1332 might receive information from the network, or might output information to the network in the course of performing the above-described method steps. Such information, which is often represented as a sequence of instructions to be executed using CPU 1332, may be received from and outputted to the network, for example, in the form of a computer data signal embodied in a carrier wave. The above-described devices and materials will be familiar to those of skill in the computer hardware and software arts.
In one embodiment, sequences of instructions may be executed substantially simultaneously on multiple CPUs, as for example a CPU in communication across network connections. Specifically, the above-described method steps may be performed across a computer network. Additionally, it will be recognized by one of skill in the art that the above method steps may be recognized as sets of computer codes and that such computer codes are typically stored in computer readable media such as RAM, ROM, hard discs, floppy discs, carrier waves, and the like.
Although only a few embodiments of the present invention have been described, it should be understood that the present invention may be embodied in many other specific forms without departing from the spirit or the scope of the present invention. The present examples are to be considered as illustrative and not restrictive, and the invention is not to be limited to the details given herein, but may be modified within the scope of the appended claims along with their full scope of equivalents.

Claims (34)

1. A system for controlling access to computing resources within an enterprise comprising:
a web server and a web security agent controlling access to Uniform Resource Locators (URLs);
a security gatekeeper and an access server controlling access to Application Programming Interfaces (APIs); and
a core security framework used by both the web server and web security agent and by both the security gatekeeper and the access server to store security data and policies and approve or deny requests for access to URLs and APIs, wherein the security gatekeeper sends a data request made by a user with security related information to the core security framework to authenticate the user and to authorize the user, wherein the core security framework informs the security gatekeeper whether the user has been authenticated and authorized, wherein the security gate keeper forwards the data request to the access server when the security gate keeper is informed that the user has been authenticated and authorized, the access server provides the user with the requested data.
2. The system of claim 1 wherein the access server is a Standard Object Access Protocol (SOAP) server.
3. The system of claim 1 wherein the core security framework comprises a policy store, a data store, and a policy server.
4. The system of claim 3 wherein the data store is a relational database.
5. The system of claim 3 wherein the data store is a directory.
6. The system of claim 1 wherein, upon the core security framework approving a request for access to an API, the core security framework creates a session token and attaches the session token to the approved request, the session token providing access to the API for the duration of a session.
7. A system for communication between two independent computing domains comprising:
a security gatekeeper within the second domain to intercept an invocation from the first domain to an API in the second domain;
a core security framework coupled to the security gatekeeper wherein the security gatekeeper sends security-related information in the invocation to the core security framework, the core security framework authenticates an entity making the invocation and authorizes the entity to invoke the API, and the core security framework informs the security gatekeeper that the entity making the invocation has been authenticated and authorized; and
an access server coupled to the security gatekeeper wherein the security gatekeeper informs the access server that the entity making the invocation has been authenticated and authorized and the access server provides the entity making the invocation with access to the API;
wherein the core security framework is also used to control access to URLs within the second domain.
8. The system of claim 7 wherein the core security framework comprises a policy store, a data store, and a policy server.
9. The system of claim 8 wherein the data store is a relational database.
10. The system of claim 8 wherein the data store is a directory.
11. The system of claim 7 wherein a session token is created that provides an entity invoking an API with access to the API for the duration of a session.
12. The system of claim 7 wherein communications between the first domain and the second domain are in a format compliant with SOAP.
13. The system of claim 12 wherein the security gatekeeper intercepts all data transmissions from the first domain to the second domain that are in the SOAP format.
14. The system of claim 7 wherein the API invocation from the first domain is a request to authenticate and authorize a user within the second domain seeking access to data within the first domain.
15. A method of communicating between two independent computing domains comprising:
a user within the first domain sending to the second domain a SOAP-compliant data request that also contains security-related information;
a security gatekeeper within the second domain intercepting the data request;
the security gatekeeper sending the data request to a core security framework within the second domain;
the core security framework using the security-related information in the data request to authenticate the user and authorize the user to retrieve the requested data;
the core security framework returning the data request to the security gatekeeper and informing the security gatekeeper that the user has been authenticated and authorized;
the security gatekeeper sending the data request to a SOAP server and informing the SOAP server that the user has been authenticated and authorized; and
the SOAP server providing the user with access to the requested data;
wherein the core security framework is also used to control access to URLs within the second domain.
16. The method of claim 15 wherein the data request is a request for access to an API within the second domain.
17. The method of claim 15 wherein the core security framework comprises a policy store, a data store, and a policy server.
18. The method of claim 17 wherein the data store is a relational database.
19. The method of claim 17 wherein the data store is a directory.
20. The method of claim 15 wherein a session token is created that provides the user with access to the requested data for the duration of the session.
21. The method of claim 15 wherein data requests from the user and data returned to the user are in a format compliant with SOAP.
22. The method of claim 21 wherein all data transmissions from the first domain to the second domain that are in the SOAP format are intercepted by the security gatekeeper.
23. The method of claim 15 wherein the data request from the first domain is a request to authenticate and authorize a user within the second domain seeking access to data within the first domain.
24. A method for a user within a first enterprise to gain access to data within a second enterprise comprising:
the user logging in to a secure computing domain within the first enterprise;
the user requesting data from the second enterprise;
the first enterprise adding security information to the data request and sending the data request and security information to the second enterprise;
a security gatekeeper within the second enterprise intercepting the security information;
the security gatekeeper sending the security information to a core security framework within the second enterprise;
the second enterprise's core security framework approving or denying the user's access to the requested data based on the security information; and
upon approval, the second enterprise sending the requested data to the user.
25. The method of claim 24 wherein the security information added to the data request is the user ID and password used by the user to log in to the secure computing domain within the first enterprise.
26. The method of claim 24 wherein the security information added to the data request is a token agreed upon by the two enterprises to designate a legitimate data request from the first enterprise to the second enterprise.
27. The method of claim 24 wherein data requests from the user and data returned to the user are in a format compliant with SOAP.
28. The method of claim 24 wherein the data request comprises the selection of a hyperlink on a secure web site within the first enterprise that links to a secure web site hosted by the second enterprise.
29. A method for a user within a second enterprise to gain access to data within a first enterprise comprising:
the user logging in to a secure computing domain within the second enterprise;
the user requesting data from the first enterprise;
the second enterprise adding security information to the data request and sending the data request and security information to the first enterprise;
the first enterprise sending the security information to the second enterprise;
a security gatekeeper within the second enterprise intercepting the security information;
the security gatekeeper sending the security information to a core security framework within the second enterprise;
the second enterprise's core security framework approving or denying the user's access to the requested data based on the security information;
upon approval, the second enterprise informing the first enterprise that the user is allowed access to the requested data; and
the first enterprise sending the requested data to the user.
30. The method of claim 29 wherein the security information added to the data request is the user ID and password used by the user to log in to the secure computing domain within the second enterprise.
31. The method of claim 29 wherein the security information added to the data request is a token agreed upon by the two enterprises to designate a legitimate data request from the second enterprise to the first enterprise.
32. The method of claim 29 wherein data requests from the user and data returned to the user are in a format compliant with SOAP.
33. The method of claim 29 wherein the core security framework is also used to control access to URLs within the second enterprise.
34. The method of claim 29 wherein the data request comprises the selection of a hyperlink on a secure web site within the second enterprise that links to a secure web site hosted by the first enterprise.
US10/631,984 2003-07-31 2003-07-31 Business-to-business security integration Active 2026-03-28 US7334254B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US10/631,984 US7334254B1 (en) 2003-07-31 2003-07-31 Business-to-business security integration

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US10/631,984 US7334254B1 (en) 2003-07-31 2003-07-31 Business-to-business security integration

Publications (1)

Publication Number Publication Date
US7334254B1 true US7334254B1 (en) 2008-02-19

Family

ID=39059608

Family Applications (1)

Application Number Title Priority Date Filing Date
US10/631,984 Active 2026-03-28 US7334254B1 (en) 2003-07-31 2003-07-31 Business-to-business security integration

Country Status (1)

Country Link
US (1) US7334254B1 (en)

Cited By (59)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040098619A1 (en) * 2002-11-18 2004-05-20 Trusted Network Technologies, Inc. System, apparatuses, methods, and computer-readable media for identification of user and/or source of communication in a network
US20050257249A1 (en) * 2004-05-14 2005-11-17 Trusted Network Technologies, Inc. System, apparatuses, methods and computer-readable media for determining security status of computer before establishing network connection second group of embodiments-claim set I
US20050257261A1 (en) * 2004-05-02 2005-11-17 Emarkmonitor, Inc. Online fraud solution
US20050262570A1 (en) * 2004-05-10 2005-11-24 Trusted Network Technologies, Inc. System, apparatuses, methods and computer-readable media for determining security status of computer before establishing connection thereto first group of embodiments-claim set 1
US20060068755A1 (en) * 2004-05-02 2006-03-30 Markmonitor, Inc. Early detection and monitoring of online fraud
US20060098649A1 (en) * 2004-11-10 2006-05-11 Trusted Network Technologies, Inc. System, apparatuses, methods, and computer-readable media for determining security realm identity before permitting network connection
US20060253446A1 (en) * 2005-05-03 2006-11-09 E-Lock Corporation Sdn. Bhd.. Internet security
US20070028301A1 (en) * 2005-07-01 2007-02-01 Markmonitor Inc. Enhanced fraud monitoring systems
US20070107053A1 (en) * 2004-05-02 2007-05-10 Markmonitor, Inc. Enhanced responses to online fraud
US20070192853A1 (en) * 2004-05-02 2007-08-16 Markmonitor, Inc. Advanced responses to online fraud
US20070250916A1 (en) * 2005-10-17 2007-10-25 Markmonitor Inc. B2C Authentication
US20070250919A1 (en) * 2005-11-10 2007-10-25 Markmonitor Inc. B2C Authentication System And Methods
US20070265835A1 (en) * 2006-05-09 2007-11-15 Bea Systems, Inc. Method and system for securing execution of untrusted applications
US20070294352A1 (en) * 2004-05-02 2007-12-20 Markmonitor, Inc. Generating phish messages
US20070300290A1 (en) * 2002-11-18 2007-12-27 Trusted Network Technologies Establishing Secure TCP/IP Communications Using Embedded IDs
US20070299777A1 (en) * 2004-05-02 2007-12-27 Markmonitor, Inc. Online fraud solution
US20080086764A1 (en) * 2006-10-06 2008-04-10 Rajandra Luxman Kulkarni Single-Party, Secured Multi-Channel Authentication
US20080086767A1 (en) * 2006-10-06 2008-04-10 Rajandra Luxman Kulkarni Multi-party, secure Multi-Channel Authentication
US20080086770A1 (en) * 2006-10-06 2008-04-10 Rajandra Luxman Kulkarni Single-Party, Secure Multi-Channel Authentication for Access to a Resource
US20080109365A1 (en) * 2006-11-07 2008-05-08 Fmr Corp. Granular customizable authentication for service provisioning
US20080127310A1 (en) * 2006-11-27 2008-05-29 Richard Allen Robbins Managing secure sharing of private information across security domains
US7571473B1 (en) 2005-06-10 2009-08-04 Sprint Communications Company L.P. Identity management system and method
US7716716B1 (en) * 2004-06-24 2010-05-11 Sprint Communications Company L.P. Method and system for architecting enterprise data security
US7823192B1 (en) * 2004-04-01 2010-10-26 Sprint Communications Company L.P. Application-to-application security in enterprise security services
US20110270885A1 (en) * 2010-04-28 2011-11-03 Salesforce.Com, Inc. Security configuration systems and methods for portal users in a multi-tenant database environment
US20120066773A1 (en) * 2010-09-15 2012-03-15 Bank Of America Information safeguard tool
US8195819B1 (en) 2009-07-13 2012-06-05 Sprint Communications Company L.P. Application single sign on leveraging virtual local area network identifier
US20120204221A1 (en) * 2009-10-22 2012-08-09 Universidad Politecnica De Madrid Method for managing access to protected resources in a computer network, physical entities and computer programs therefor
US20120317624A1 (en) * 2010-02-24 2012-12-13 Miguel Angel Monjas Llorente Method for managing access to protected resources and delegating authority in a computer network
US20130036455A1 (en) * 2010-01-25 2013-02-07 Nokia Siemens Networks Oy Method for controlling acess to resources
US8443429B1 (en) 2010-05-24 2013-05-14 Sprint Communications Company L.P. Integrated sign on
US8560861B1 (en) * 2003-06-16 2013-10-15 Microsoft Corporation Method and apparatus for communicating authorization data
US20140181894A1 (en) * 2012-12-23 2014-06-26 Vincent Edward Von Bokern Trusted container
US20150059006A1 (en) * 2013-08-23 2015-02-26 Cellco Partnership (D/B/A Verizon Wireless) Secure Device Management Abstraction and Unification Module
US8990942B2 (en) 2013-02-18 2015-03-24 Wipro Limited Methods and systems for API-level intrusion detection
US9026507B2 (en) 2004-05-02 2015-05-05 Thomson Reuters Global Resources Methods and systems for analyzing data related to possible online fraud
US9059987B1 (en) 2013-04-04 2015-06-16 Sprint Communications Company L.P. Methods and systems of using single sign-on for identification for a web server not integrated with an enterprise network
US9258274B2 (en) * 2014-07-09 2016-02-09 Shape Security, Inc. Using individualized APIs to block automated attacks on native apps and/or purposely exposed APIs
US9294478B2 (en) 2012-12-23 2016-03-22 Mcafee, Inc. Hardware-based device authentication
US9479529B2 (en) 2014-07-22 2016-10-25 Shape Security, Inc. Polymorphic security policy action
US9608975B2 (en) 2015-03-30 2017-03-28 Shape Security, Inc. Challenge-dynamic credential pairs for client/server request validation
US9716702B2 (en) 2014-05-29 2017-07-25 Shape Security, Inc. Management of dynamic credentials
US9729506B2 (en) 2014-08-22 2017-08-08 Shape Security, Inc. Application programming interface wall
US9800602B2 (en) 2014-09-30 2017-10-24 Shape Security, Inc. Automated hardening of web page content
US9954893B1 (en) 2014-09-23 2018-04-24 Shape Security, Inc. Techniques for combating man-in-the-browser attacks
US10027714B2 (en) * 2010-03-30 2018-07-17 Authentic8, Inc. Secure web container for a secure online user environment
US10050935B2 (en) * 2014-07-09 2018-08-14 Shape Security, Inc. Using individualized APIs to block automated attacks on native apps and/or purposely exposed APIs with forced user interaction
US10212130B1 (en) 2015-11-16 2019-02-19 Shape Security, Inc. Browser extension firewall
US10432616B2 (en) 2012-12-23 2019-10-01 Mcafee, Llc Hardware-based device authentication
US10542031B2 (en) 2015-02-20 2020-01-21 Authentic8, Inc. Secure application for accessing web resources
US10554621B2 (en) 2015-02-20 2020-02-04 Authentic8, Inc. Secure analysis application for accessing web resources
US10567419B2 (en) 2015-07-06 2020-02-18 Shape Security, Inc. Asymmetrical challenges for web security
US10686824B2 (en) 2015-02-20 2020-06-16 Authentic8, Inc. Secure analysis application for accessing web resources via URL forwarding
US10796305B1 (en) * 2007-12-04 2020-10-06 Ncr Corporation Anonymization and synchronization based on use of protected content
WO2021061942A1 (en) * 2019-09-25 2021-04-01 Valimail, Inc. Centralized session key issuance and rotation
US11032309B2 (en) 2015-02-20 2021-06-08 Authentic8, Inc. Secure application for accessing web resources
US11212283B2 (en) * 2018-11-05 2021-12-28 Wistron Corporation Method for authentication and authorization and authentication server using the same for providing user management mechanism required by multiple applications
US11356411B2 (en) 2015-02-20 2022-06-07 Authentic8, Inc. Secure analysis application for accessing web resources
US11637820B2 (en) * 2006-03-31 2023-04-25 Amazon Technologies, Inc. Customizable sign-on service

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6981139B2 (en) * 2003-06-25 2005-12-27 Ricoh Company, Ltd. Digital certificate management system, digital certificate management apparatus, digital certificate management method, update procedure determination method and program
US7185364B2 (en) * 2001-03-21 2007-02-27 Oracle International Corporation Access system interface

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7185364B2 (en) * 2001-03-21 2007-02-27 Oracle International Corporation Access system interface
US6981139B2 (en) * 2003-06-25 2005-12-27 Ricoh Company, Ltd. Digital certificate management system, digital certificate management apparatus, digital certificate management method, update procedure determination method and program

Cited By (110)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070300290A1 (en) * 2002-11-18 2007-12-27 Trusted Network Technologies Establishing Secure TCP/IP Communications Using Embedded IDs
US20040098620A1 (en) * 2002-11-18 2004-05-20 Trusted Network Technologies, Inc. System, apparatuses, methods, and computer-readable media using identification data in packet communications
US20040098619A1 (en) * 2002-11-18 2004-05-20 Trusted Network Technologies, Inc. System, apparatuses, methods, and computer-readable media for identification of user and/or source of communication in a network
US7823194B2 (en) 2002-11-18 2010-10-26 Liquidware Labs, Inc. System and methods for identification and tracking of user and/or source initiating communication in a computer network
US7660980B2 (en) 2002-11-18 2010-02-09 Liquidware Labs, Inc. Establishing secure TCP/IP communications using embedded IDs
US20080276297A1 (en) * 2002-11-18 2008-11-06 Trusted Network Technologies, Inc. System And Method For Intrusion Prevention In A Communications Network
US8560861B1 (en) * 2003-06-16 2013-10-15 Microsoft Corporation Method and apparatus for communicating authorization data
US7823192B1 (en) * 2004-04-01 2010-10-26 Sprint Communications Company L.P. Application-to-application security in enterprise security services
US9684888B2 (en) 2004-05-02 2017-06-20 Camelot Uk Bidco Limited Online fraud solution
US20060068755A1 (en) * 2004-05-02 2006-03-30 Markmonitor, Inc. Early detection and monitoring of online fraud
US20070192853A1 (en) * 2004-05-02 2007-08-16 Markmonitor, Inc. Advanced responses to online fraud
US9203648B2 (en) 2004-05-02 2015-12-01 Thomson Reuters Global Resources Online fraud solution
US8041769B2 (en) 2004-05-02 2011-10-18 Markmonitor Inc. Generating phish messages
US7913302B2 (en) 2004-05-02 2011-03-22 Markmonitor, Inc. Advanced responses to online fraud
US20070294352A1 (en) * 2004-05-02 2007-12-20 Markmonitor, Inc. Generating phish messages
US7870608B2 (en) 2004-05-02 2011-01-11 Markmonitor, Inc. Early detection and monitoring of online fraud
US20070299777A1 (en) * 2004-05-02 2007-12-27 Markmonitor, Inc. Online fraud solution
US9356947B2 (en) 2004-05-02 2016-05-31 Thomson Reuters Global Resources Methods and systems for analyzing data related to possible online fraud
US20070107053A1 (en) * 2004-05-02 2007-05-10 Markmonitor, Inc. Enhanced responses to online fraud
US20050257261A1 (en) * 2004-05-02 2005-11-17 Emarkmonitor, Inc. Online fraud solution
US8769671B2 (en) 2004-05-02 2014-07-01 Markmonitor Inc. Online fraud solution
US9026507B2 (en) 2004-05-02 2015-05-05 Thomson Reuters Global Resources Methods and systems for analyzing data related to possible online fraud
US20050262570A1 (en) * 2004-05-10 2005-11-24 Trusted Network Technologies, Inc. System, apparatuses, methods and computer-readable media for determining security status of computer before establishing connection thereto first group of embodiments-claim set 1
US7549159B2 (en) 2004-05-10 2009-06-16 Liquidware Labs, Inc. System, apparatuses, methods and computer-readable media for determining the security status of a computer before establishing connection thereto
US7591001B2 (en) 2004-05-14 2009-09-15 Liquidware Labs, Inc. System, apparatuses, methods and computer-readable media for determining the security status of a computer before establishing a network connection
US20050257249A1 (en) * 2004-05-14 2005-11-17 Trusted Network Technologies, Inc. System, apparatuses, methods and computer-readable media for determining security status of computer before establishing network connection second group of embodiments-claim set I
US7716716B1 (en) * 2004-06-24 2010-05-11 Sprint Communications Company L.P. Method and system for architecting enterprise data security
US20060098649A1 (en) * 2004-11-10 2006-05-11 Trusted Network Technologies, Inc. System, apparatuses, methods, and computer-readable media for determining security realm identity before permitting network connection
US20060253446A1 (en) * 2005-05-03 2006-11-09 E-Lock Corporation Sdn. Bhd.. Internet security
US8843516B2 (en) * 2005-05-03 2014-09-23 E-Lock Corporation Sdn. Bhd. Internet security
US7571473B1 (en) 2005-06-10 2009-08-04 Sprint Communications Company L.P. Identity management system and method
US20070028301A1 (en) * 2005-07-01 2007-02-01 Markmonitor Inc. Enhanced fraud monitoring systems
US20070250916A1 (en) * 2005-10-17 2007-10-25 Markmonitor Inc. B2C Authentication
US20070250919A1 (en) * 2005-11-10 2007-10-25 Markmonitor Inc. B2C Authentication System And Methods
US11637820B2 (en) * 2006-03-31 2023-04-25 Amazon Technologies, Inc. Customizable sign-on service
US20070265835A1 (en) * 2006-05-09 2007-11-15 Bea Systems, Inc. Method and system for securing execution of untrusted applications
US7979891B2 (en) * 2006-05-09 2011-07-12 Oracle International Corporation Method and system for securing execution of untrusted applications
US20080086767A1 (en) * 2006-10-06 2008-04-10 Rajandra Luxman Kulkarni Multi-party, secure Multi-Channel Authentication
US8474028B2 (en) * 2006-10-06 2013-06-25 Fmr Llc Multi-party, secure multi-channel authentication
US8671444B2 (en) 2006-10-06 2014-03-11 Fmr Llc Single-party, secure multi-channel authentication for access to a resource
US20080086770A1 (en) * 2006-10-06 2008-04-10 Rajandra Luxman Kulkarni Single-Party, Secure Multi-Channel Authentication for Access to a Resource
US20080086764A1 (en) * 2006-10-06 2008-04-10 Rajandra Luxman Kulkarni Single-Party, Secured Multi-Channel Authentication
US8434133B2 (en) 2006-10-06 2013-04-30 Fmr Llc Single-party, secure multi-channel authentication
US20080109874A1 (en) * 2006-11-07 2008-05-08 Fmr Corp. Life cycle management of authentication rules for service provisioning
US20080109873A1 (en) * 2006-11-07 2008-05-08 Fmr Corp. Acquisition of authentication rules for service provisioning
US20080109365A1 (en) * 2006-11-07 2008-05-08 Fmr Corp. Granular customizable authentication for service provisioning
US8356341B2 (en) 2006-11-07 2013-01-15 Fmr Llc. Life cycle management of authentication rules for service provisioning
US8505077B2 (en) 2006-11-07 2013-08-06 Fmr Llc Acquisition of authentication rules for service provisioning
US8613054B2 (en) * 2006-11-27 2013-12-17 Therap Services Llc Managing secure sharing of private information across security domains using an access profile
US20080127310A1 (en) * 2006-11-27 2008-05-29 Richard Allen Robbins Managing secure sharing of private information across security domains
US9794257B2 (en) * 2006-11-27 2017-10-17 Therap Services, Llc Managing secure sharing of private information across security domains by individuals having a service authorization
US20140331290A1 (en) * 2006-11-27 2014-11-06 Therap Services, Llc Managing Secure Sharing of Private Information Across Security Domains by Individuals Having a Service Authorization
US8281370B2 (en) * 2006-11-27 2012-10-02 Therap Services LLP Managing secure sharing of private information across security domains
US20130007851A1 (en) * 2006-11-27 2013-01-03 Therap Services, Llc Method and System for Managing Secure Sharing of Private Information Across Security Domains Using an Authorization Profile
US8615790B2 (en) * 2006-11-27 2013-12-24 Therap Services Llc Managing secure sharing of private information across security domains using multiple caseloads
US20130007897A1 (en) * 2006-11-27 2013-01-03 Therap Services, Llc Method and System for Managing Secure Sharing of Private Information Across Security Domains
US10796305B1 (en) * 2007-12-04 2020-10-06 Ncr Corporation Anonymization and synchronization based on use of protected content
US8195819B1 (en) 2009-07-13 2012-06-05 Sprint Communications Company L.P. Application single sign on leveraging virtual local area network identifier
US20120204221A1 (en) * 2009-10-22 2012-08-09 Universidad Politecnica De Madrid Method for managing access to protected resources in a computer network, physical entities and computer programs therefor
US8595494B2 (en) * 2009-10-22 2013-11-26 Telefonaktiebolaget Lm Ericsson Method for managing access to protected resources in a computer network, physical entities and computer programs therefor
US20130036455A1 (en) * 2010-01-25 2013-02-07 Nokia Siemens Networks Oy Method for controlling acess to resources
US8819784B2 (en) * 2010-02-24 2014-08-26 Telefonaktiebolaget Lm Ericsson (Publ) Method for managing access to protected resources and delegating authority in a computer network
US20120317624A1 (en) * 2010-02-24 2012-12-13 Miguel Angel Monjas Llorente Method for managing access to protected resources and delegating authority in a computer network
US11044275B2 (en) * 2010-03-30 2021-06-22 Authentic8, Inc. Secure web container for a secure online user environment
US11838324B2 (en) 2010-03-30 2023-12-05 Authentic8, Inc. Secure web container for a secure online user environment
US10581920B2 (en) * 2010-03-30 2020-03-03 Authentic8, Inc. Secure web container for a secure online user environment
US20180332080A1 (en) * 2010-03-30 2018-11-15 Authentic8, Inc. Secure Web Container for a Secure Online User Environment
US10027714B2 (en) * 2010-03-30 2018-07-17 Authentic8, Inc. Secure web container for a secure online user environment
US20110270885A1 (en) * 2010-04-28 2011-11-03 Salesforce.Com, Inc. Security configuration systems and methods for portal users in a multi-tenant database environment
US9355270B2 (en) * 2010-04-28 2016-05-31 Salesforce.Com, Inc. Security configuration systems and methods for portal users in a multi-tenant database environment
US8443429B1 (en) 2010-05-24 2013-05-14 Sprint Communications Company L.P. Integrated sign on
US8453258B2 (en) * 2010-09-15 2013-05-28 Bank Of America Corporation Protecting an electronic document by embedding an executable script
US20120066773A1 (en) * 2010-09-15 2012-03-15 Bank Of America Information safeguard tool
US10757094B2 (en) 2012-12-23 2020-08-25 Mcafee, Llc Trusted container
US11245687B2 (en) 2012-12-23 2022-02-08 Mcafee, Llc Hardware-based device authentication
US20140181894A1 (en) * 2012-12-23 2014-06-26 Vincent Edward Von Bokern Trusted container
US9294478B2 (en) 2012-12-23 2016-03-22 Mcafee, Inc. Hardware-based device authentication
US10432616B2 (en) 2012-12-23 2019-10-01 Mcafee, Llc Hardware-based device authentication
US10333926B2 (en) 2012-12-23 2019-06-25 Mcafee, Llc Trusted container
US9928360B2 (en) 2012-12-23 2018-03-27 Mcafee, Llc Hardware-based device authentication
US9419953B2 (en) * 2012-12-23 2016-08-16 Mcafee, Inc. Trusted container
US10083290B2 (en) 2012-12-23 2018-09-25 Mcafee, Llc Hardware-based device authentication
US8990942B2 (en) 2013-02-18 2015-03-24 Wipro Limited Methods and systems for API-level intrusion detection
US9059987B1 (en) 2013-04-04 2015-06-16 Sprint Communications Company L.P. Methods and systems of using single sign-on for identification for a web server not integrated with an enterprise network
US9576153B2 (en) * 2013-08-23 2017-02-21 Cellco Partnership Device and method for providing information from a backend component to a frontend component by a secure device management abstraction and unification module
US20150059006A1 (en) * 2013-08-23 2015-02-26 Cellco Partnership (D/B/A Verizon Wireless) Secure Device Management Abstraction and Unification Module
US9716702B2 (en) 2014-05-29 2017-07-25 Shape Security, Inc. Management of dynamic credentials
US11552936B2 (en) 2014-05-29 2023-01-10 Shape Security, Inc. Management of dynamic credentials
US10050935B2 (en) * 2014-07-09 2018-08-14 Shape Security, Inc. Using individualized APIs to block automated attacks on native apps and/or purposely exposed APIs with forced user interaction
US9258274B2 (en) * 2014-07-09 2016-02-09 Shape Security, Inc. Using individualized APIs to block automated attacks on native apps and/or purposely exposed APIs
US9479529B2 (en) 2014-07-22 2016-10-25 Shape Security, Inc. Polymorphic security policy action
US9729506B2 (en) 2014-08-22 2017-08-08 Shape Security, Inc. Application programming interface wall
US9954893B1 (en) 2014-09-23 2018-04-24 Shape Security, Inc. Techniques for combating man-in-the-browser attacks
US10033755B2 (en) 2014-09-30 2018-07-24 Shape Security, Inc. Securing web page content
US9800602B2 (en) 2014-09-30 2017-10-24 Shape Security, Inc. Automated hardening of web page content
US11356412B2 (en) 2015-02-20 2022-06-07 Authentic8, Inc. Secure analysis application for accessing web resources
US10554621B2 (en) 2015-02-20 2020-02-04 Authentic8, Inc. Secure analysis application for accessing web resources
US11032309B2 (en) 2015-02-20 2021-06-08 Authentic8, Inc. Secure application for accessing web resources
US10686824B2 (en) 2015-02-20 2020-06-16 Authentic8, Inc. Secure analysis application for accessing web resources via URL forwarding
US10542031B2 (en) 2015-02-20 2020-01-21 Authentic8, Inc. Secure application for accessing web resources
US11563766B2 (en) 2015-02-20 2023-01-24 Authentic8, Inc. Secure application for accessing web resources
US11356411B2 (en) 2015-02-20 2022-06-07 Authentic8, Inc. Secure analysis application for accessing web resources
US11310260B2 (en) 2015-02-20 2022-04-19 Authentic8, Inc. Secure analysis application for accessing web resources
US9608975B2 (en) 2015-03-30 2017-03-28 Shape Security, Inc. Challenge-dynamic credential pairs for client/server request validation
US10567419B2 (en) 2015-07-06 2020-02-18 Shape Security, Inc. Asymmetrical challenges for web security
US10212130B1 (en) 2015-11-16 2019-02-19 Shape Security, Inc. Browser extension firewall
US11212283B2 (en) * 2018-11-05 2021-12-28 Wistron Corporation Method for authentication and authorization and authentication server using the same for providing user management mechanism required by multiple applications
WO2021061942A1 (en) * 2019-09-25 2021-04-01 Valimail, Inc. Centralized session key issuance and rotation
US11063763B2 (en) 2019-09-25 2021-07-13 Valimail Inc. Centralized session key issuance and rotation
US11909880B2 (en) 2019-09-25 2024-02-20 Valimail Inc. Centralized credential issuance and rotation

Similar Documents

Publication Publication Date Title
US7334254B1 (en) Business-to-business security integration
US7263717B1 (en) Integrated security framework and privacy database scheme
KR100800339B1 (en) Method and system for user-determined authentication and single-sign-on in a federated environment
US8578465B2 (en) Token-based control of permitted sub-sessions for online collaborative computing sessions
US7010600B1 (en) Method and apparatus for managing network resources for externally authenticated users
US8434133B2 (en) Single-party, secure multi-channel authentication
US8671444B2 (en) Single-party, secure multi-channel authentication for access to a resource
US6993596B2 (en) System and method for user enrollment in an e-community
US8474028B2 (en) Multi-party, secure multi-channel authentication
KR100702421B1 (en) Method and system for web-based cross-domain single-sign-on authentication
US8006289B2 (en) Method and system for extending authentication methods
US8060632B2 (en) Method and system for user-determined attribute storage in a federated environment
US9143502B2 (en) Method and system for secure binding register name identifier profile
US20080271121A1 (en) External user lifecycle management for federated environments
US20040006710A1 (en) Computer security system
US20060218628A1 (en) Method and system for enhanced federated single logout
US7346930B1 (en) Security framework bridge
WO2005069823A2 (en) Centralized transactional security audit for enterprise systems
JP4913457B2 (en) Federated authentication method and system for servers with different authentication strengths
CN112468481B (en) Single-page and multi-page web application identity integrated authentication method based on CAS
AU2007303059B2 (en) Secure multi-channel authentication
JP2003022253A (en) Server, information processor, its access control system and method
US20100031317A1 (en) Secure access
CN102739664A (en) Method for improving security of network identity authentication and devices
US7257834B1 (en) Security framework data scheme

Legal Events

Date Code Title Description
AS Assignment

Owner name: SPRINT COMMUNICATIONS COMPANY, L.P., KANSAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:BOYDSTUN, KENNETH C.;BALASUBRAMANIAN, BALA;ALLABABIDI, MOUAZ;AND OTHERS;REEL/FRAME:014365/0680;SIGNING DATES FROM 20030721 TO 20030729

STCF Information on status: patent grant

Free format text: PATENTED CASE

FPAY Fee payment

Year of fee payment: 4

FPAY Fee payment

Year of fee payment: 8

AS Assignment

Owner name: DEUTSCHE BANK TRUST COMPANY AMERICAS, NEW YORK

Free format text: GRANT OF FIRST PRIORITY AND JUNIOR PRIORITY SECURITY INTEREST IN PATENT RIGHTS;ASSIGNOR:SPRINT COMMUNICATIONS COMPANY L.P.;REEL/FRAME:041895/0210

Effective date: 20170203

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12

AS Assignment

Owner name: SPRINT COMMUNICATIONS COMPANY L.P., KANSAS

Free format text: TERMINATION AND RELEASE OF FIRST PRIORITY AND JUNIOR PRIORITY SECURITY INTEREST IN PATENT RIGHTS;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:052969/0475

Effective date: 20200401

Owner name: DEUTSCHE BANK TRUST COMPANY AMERICAS, NEW YORK

Free format text: SECURITY AGREEMENT;ASSIGNORS:T-MOBILE USA, INC.;ISBV LLC;T-MOBILE CENTRAL LLC;AND OTHERS;REEL/FRAME:053182/0001

Effective date: 20200401

AS Assignment

Owner name: T-MOBILE INNOVATIONS LLC, KANSAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SPRINT COMMUNICATIONS COMPANY L.P.;REEL/FRAME:055604/0001

Effective date: 20210303

AS Assignment

Owner name: SPRINT SPECTRUM LLC, KANSAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001

Effective date: 20220822

Owner name: SPRINT INTERNATIONAL INCORPORATED, KANSAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001

Effective date: 20220822

Owner name: SPRINT COMMUNICATIONS COMPANY L.P., KANSAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001

Effective date: 20220822

Owner name: SPRINTCOM LLC, KANSAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001

Effective date: 20220822

Owner name: CLEARWIRE IP HOLDINGS LLC, KANSAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001

Effective date: 20220822

Owner name: CLEARWIRE COMMUNICATIONS LLC, KANSAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001

Effective date: 20220822

Owner name: BOOST WORLDWIDE, LLC, KANSAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001

Effective date: 20220822

Owner name: ASSURANCE WIRELESS USA, L.P., KANSAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001

Effective date: 20220822

Owner name: T-MOBILE USA, INC., WASHINGTON

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001

Effective date: 20220822

Owner name: T-MOBILE CENTRAL LLC, WASHINGTON

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001

Effective date: 20220822

Owner name: PUSHSPRING, LLC, WASHINGTON

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001

Effective date: 20220822

Owner name: LAYER3 TV, LLC, WASHINGTON

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001

Effective date: 20220822

Owner name: IBSV LLC, WASHINGTON

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:DEUTSCHE BANK TRUST COMPANY AMERICAS;REEL/FRAME:062595/0001

Effective date: 20220822